Section 14 of yesterday’s Order, read in isolation, appears to instruct federal agencies to deny Privacy Act protections to Europeans:
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Fortunately, our preliminary analysis is that the Order does not actually deny Privacy Act protections to Europeans. An Executive Order, of course, cannot supersede a statute—which Section 14 implicitly acknowledges with its caveat “to the extent consistent with applicable law.”
The “applicable law” here is the Judicial Redress Act of 2015, codified at 5 U.S.C. § 552a note. The Judicial Redress Act extends the right to sue conferred by the Privacy Act to citizens of “covered countries” designated by the Attorney General. And on January 17, 2017, in a little-noticed move, the Attorney General designated 26 countries and the European Union as